Securing industrial production from sophisticated attacks

ABSTRACT

A manufacturing system is disclosed herein. The manufacturing system includes one or more stations, a monitoring platform, and a control module. Each station of the one or more stations is configured to perform at least one step in a multi-step manufacturing process for a component. The monitoring platform is configured to monitor progression of the component throughout the multi-step manufacturing process. The control module is configured to detect a cyberattack to the manufacturing system. The control module is configured to perform operations. The operations include receiving control values for a first station of the one or more stations. The operations further include determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms. The operations further include generating an alert to cease processing of the component. In some embodiments, the operations further include correcting errors caused by the cyberattack.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application Ser. No. 62/938,158, filed Nov. 20, 2019, which is hereby incorporated by reference in its entireties.

FIELD OF DISCLOSURE

The present disclosure generally relates to a system, method, and media for manufacturing processes.

BACKGROUND

The past several decades of cyberattacks have witnessed a startling degree of proliferation, adaptation, specificity, and sophistication. Industrial and military security is the study of walls, physical and digital, which limit malicious insertion or removal of information. For high-security factories and military installations, this means creating systems that are removed from the global computer network and often removed from internal networks.

SUMMARY

In some embodiments, a manufacturing system is disclosed herein. The manufacturing system includes one or more stations, a monitoring platform, and a control module. Each station of the one or more stations is configured to perform at least one step in a multi-step manufacturing process for a component. The monitoring platform is configured to monitor progression of the component throughout the multi-step manufacturing process. The control module is configured to detect a cyberattack to the manufacturing system, the control module configured to perform operations. The operations include receiving control values for a first station of the one or more stations. The control values include attributes of the first processing station. The operations further include determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms. The operations further include, based on the determining, generating an alert to cease processing of the component.

In some embodiments, a computer-implemented method is disclosed herein. A computing system receives control values for a first station of one or more stations of a manufacturing system configured to process a component. The control values include attributes of the first station. The computing system determines that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms. The computing system generates an alert to cease processing of the component, based on the determining. The computing system generates a set of actions to correct for errors caused by the cyberattack. The set of actions is associated with downstream stations of the manufacturing system.

In some embodiments, a manufacturing system is disclosed herein. The manufacturing system includes one or more stations, a monitoring platform, and a control module. Each station of the one or more stations is configured to perform at least one step in a multi-step manufacturing process for a component. The monitoring platform is configured to monitor progression of the component throughout the multi-step manufacturing process. The control module is configured to detect a cyberattack to the manufacturing system, the control module configured to perform operations. The operations include receiving control values for a first station of the one or more stations. The control values include attributes of the first station. The operations further included determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms. The operations further include generating an alert to cease processing of the component, based on the determining. The operations further include generating, using one or more second machine learning algorithms, a set of actions to correct for errors caused by the cyberattack. The set of actions is associated with downstream stations of the manufacturing system.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the present disclosure can be understood in detail, a more particular description of the disclosure, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this disclosure and are therefore not to be considered limiting of its scope, for the disclosure may admit to other equally effective embodiments.

FIG. 1 is a block diagram illustrating a manufacturing environment, according to example embodiments.

FIG. 2 is a block diagram illustrating architecture of a single-input, single-output system implementing Kalman Filter, according to example embodiments.

FIG. 3 is a block diagram illustrating architecture of a system implementing autoencoder, according to example embodiments.

FIG. 4 is a block diagram illustrating architecture of a system implementing a reinforcement learning approach using machine learning module, according to example embodiments.

FIG. 5 is a flow diagram illustrating a method of managing a cyberattack to a manufacturing process, according to example embodiments.

FIG. 6A illustrates a system bus computing system architecture, according to example embodiments.

FIG. 6B illustrates a computer system having a chipset architecture, according to example embodiments.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures. It is contemplated that elements disclosed in one embodiment may be beneficially utilized on other embodiments without specific recitation.

DETAILED DESCRIPTION

Manufacturing processes may be complex and include raw materials being processed by different process stations (or “stations”) until a final product is produced. In some embodiments, each process station receives an input for processing and may output an intermediate output that may be passed along to a subsequent (downstream) process station for additional processing. In some embodiments, a final process station may receive an input for processing and may output the final product or, more generally, the final output.

In some embodiments, each station may include one or more tools/equipment that may perform a set of process steps. Exemplary process stations may include, but are not limited to, conveyor belts, injection molding presses, cutting machines, die stamping machines, extruders, computer numerical control (CNC) mills, grinders, assembly stations, three-dimensional printers, quality control stations, validation stations, and the like.

In some embodiments, operations of each process station may be governed by one or more process controllers. In some embodiments, each process station may include one or more process controllers that may be programmed to control the operation of the process station. In some embodiments, an operator, or control algorithms, may provide the station controller with station controller setpoints that may represent the desired value, or range of values, for each control value. In some embodiments, values used for feedback or feed forward in a manufacturing process may be referred to as control values. Exemplary control values may include, but are not limited to: speed, temperature, pressure, vacuum, rotation, current, voltage, power, viscosity, materials/resources used at the station, throughput rate, outage time, noxious fumes, pH, light absorption, particle density, and geometric conformation, and the like.

Statistical process control (SPC) is a method of quality control which employs statistical methods to monitor and control a process. Generally, SPC calls for process standards to be established for each step in a manufacturing process and monitored throughout the production life cycle. The goal of SPC is to continuously improve the process through the life cycle.

For purpose of SPC, it is assumed that, as long as each node is operating within specification, the final product will also be within specification. The specifications may be set based on subject matter expertise and historical performance. The dependability and impact of one node onto the next or subsequent nodes is not directly adjusted in SPC; instead, each sub-process may be examined as an independent entity. This approach leads to wider margins for the operating condition of each node, preventing the system from even operating in the absolute highest efficiency or stability. From a security perspective, this margin may be targeted by sophisticated process cyberattacks. If a single node or several nodes in a system start to operate at the upper bounds (or lower bounds) of their specification, individual alarms will not be triggered, but the overall process quality will be affected. This especially holds for man-in-the-middle cyberattacks, where reported sensor signals, for example, are faked by the malicious code. The life cycle of the node will also be affected, thus requiring increased downtime for repair. Several layers of downstream nodes will also be affected and, over time, the continual drift of the system will tend toward non-compliance. By that point, the correction needed to recover the system would be massive and cost prohibitive.

One or more techniques provided herein are directed to a novel approach to industrial security by treating suspect malicious activity as a process variation and correcting it by actively tuning the operating parameters of the system. As threats to industrial systems increase in number and sophistication, conventional security methods need to be overlaid with advances in process control to reinforce the system as a whole.

FIG. 1 is a block diagram illustrating a manufacturing environment 100, according to example embodiments. Manufacturing environment 100 may include a manufacturing system 102, a monitoring platform 104, and a control module 106. Manufacturing system 102 may be broadly representative of a multi-step manufacturing system. In some embodiments, manufacturing system 102 may be representative of an assembly line system, where each processing station may be representative of a human worker. In some embodiments, manufacturing system 102 may be representative of a manufacturing system for use in additive manufacturing (e.g., 3D printing system). In some embodiments, manufacturing system 102 may be representative of a manufacturing system for use in subtractive manufacturing (e.g., CNC machining). In some embodiments, manufacturing system 102 may be representative of a manufacturing system for use in a combination of additive manufacturing and subtractive manufacturing. More generally, in some embodiments, manufacturing system 102 may be representative of a manufacturing system for use in a general manufacturing process.

Manufacturing system 102 may include one or more stations 108 ₁-108 n (generally, “station 108”). Each station 108 may be representative of a step and/or station in a multi-step manufacturing process. For example, each station 108 may be representative of a layer deposition operation in a 3D printing process (e.g., station 108 ₁ may correspond to layer 1, station 108 ₂ may correspond to layer 2, etc.). In another example, each station 108 may correspond to a specific processing station. In another example, each station 108 may correspond to a specific human operator performing a specific task in an assembly line manufacturing process.

Each station 108 may include a process controller 114 and control logic 116. Each process controller 114 ₁-114 n may be programmed to control the operation of each respective station 108. In some embodiments, control module 106 may provide each process controller 114 with station controller setpoints that may represent the desired value, or range of values, for each control value. Control logic 116 may refer to the attributes/parameters associated with a station's 108 process steps. In operation, control logic 116 for each station 108 may be dynamically updated throughout the manufacturing process by control module 106, depending on a current trajectory of a final quality metric.

Monitoring platform 104 may be configured to monitor each station 108 of manufacturing system 102. In some embodiments, monitoring platform 104 may be a component of manufacturing system 102. For example, monitoring platform 104 may be a component of a 3D printing system. In some embodiments, monitoring platform 104 may be independent of manufacturing system 102. For example, monitoring platform 104 may be retrofit onto an existing manufacturing system 102. In some embodiments, monitoring platform 104 may be representative of an imaging device configured to capture an image of a product or tooling (e.g., a worker or a process tool) at each step of a multi-step process. For example, monitoring platform 104 may be configured to capture an image of the component at each station 108 and/or an image of a component developing the product at each station 108 (e.g., tooling, human, etc.). Generally, monitoring platform 104 may be configured to capture information associated with production of a product (e.g., an image, a voltage reading, a speed reading, etc.) and/or tool (e.g., hand position, tooling position, etc.), and provide that information, as input, to control module 106 for evaluation.

Control module 106 may be in communication with manufacturing system 102 and monitoring platform 104 via one or more communication channels. In some embodiments, the one or more communication channels may be representative of individual connections via the Internet, such as cellular or Wi-Fi networks. In some embodiments, the one or more communication channels may connect terminals, services, and mobile devices using direct connections, such as radio frequency identification (RFID), near-field communication (NFC), Bluetooth™, low-energy Bluetooth™ (BLE), Wi-Fi™, ZigBee™, ambient backscatter communication (ABC) protocols, USB, WAN, or LAN.

Control module 106 may be configured to control each process controller of manufacturing system 102. For example, based on information captured by monitoring platform 104, control module 106 may be configured to adjust process controls associated with a specific station 108. In some embodiments, control module 106 may be configured to adjust process controls of a specific station 108 based on a projected final quality metric.

As discussed above, conventional approaches to detecting process attacks various SPC techniques. SPC is a static, non-interventional approach to process control, where well-defined statistical properties are passively observed to pass or fail at each node. It is only after the last node's processing that these conventional systems make a decision as to whether to keep or discard the manufactured product.

To improve upon conventional processes, control module 106 includes error detection module 130. Error detection module 130 may be configured to detect an error at a given station 108 or node of manufacturing system 102. For example, error detection module 130 used as part of a dynamic, interventional approach to process control, where each node subsequent to the node causing detected damage is woven into an optimization problem (e.g., a damage recovery problem) and actively controlled to instantiate a solution to it. In some embodiments, this process may be done in real-time or near real-time, and while each cycle is ongoing, rather than at the end of a given cycle.

To understand the one or more techniques implemented by error detection module 130, it is important to understand how control module 106 defines a manufacturing system (e.g., manufacturing system 102). A manufacturing system may be defined using a wide variety of topological schemes, including feedback and feedforward organization. In some embodiments, a manufacturing system, F, may be defined as a linear sequence of n process nodes (or stations 108), labeled 1, . . . , N, connected in a feed forward-linked chain. For example:

F:→1→2→ . . . →i→ . . . →n

Similarly, in some embodiments, a manufacturing system, F, may be defined as a non-linear sequence of n process nodes (or stations 108), labeled 1, . . . , N. In some embodiments, the processing done by each node i may have two attributed distributions: an expected distribution, Q_(i); and an observed distribution, P_(i). Q_(i) may be characterized by μ_(Q)and σ_(Q) _(i) . If Q_(i)=N(μ_(Q) _(i) , σ_(q) ²), then Q_(i) may be completely characterized. P_(i) may be characterized by μ_(p) _(i) and σ_(p) _(i) . If P_(i)=N(μ_(p) _(i) , σ_(p) _(i) ²), then P_(i) may be completely characterized.

In some embodiments, the damage caused by node i may be defined as the Kullback-Leibler divergence of P_(i) with respect to Q_(i):

$d_{i} = {D_{KL}\left( {{P_{i}\left. Q_{i} \right)} = {\sum\limits_{x \in X}{{P_{i}(x)}{\log\left( \frac{P_{i{(x)}}}{Q_{i}(x)} \right)}}}} \right.}$

In some embodiments, the damage may be cumulative, or additive across F. For example:

$d_{f} = {\sum\limits_{i = 1}^{n}d_{i}}$

Referring back to error detection module 130, error detection module 130 may be configured to detect damage or an error at a given node, k of manufacturing system 102. For example, if error detection module 130 detects node k has caused damage (i.e., has produced a damaged or distorted distribution), then error detection module 130 may employ a control strategy that samples from P_(k) and generates all subsequent resulting distributions flowing from it, P_(k+1), . . . , P_(n), such that the remaining cumulative damage, d_(k+1), . . . , d_(k), may be reduced or minimized. Accordingly, the damage recovery problem for error detection module 130 may be formulated as:

$\underset{\{{P_{{k + 1},\ldots\mspace{14mu},}P_{n}}\}}{\arg\min}\left\{ {\sum\limits_{i = {k + 1}}^{n}{D_{KL}\left( {P_{i}{}Q_{i}} \right)}} \right\}$

In some embodiments, error detection module 130 may implement one or more techniques to identify or correct damage detected at a given node. In some embodiments, error detection module 130 may use a Kalman Filter 132 to detect damage or errors at a given processing node. In some embodiments, error detection module 130 may include an autoencoder 134 to detect damage or errors at a given processing node. In some embodiments, error detection module 130 may use machine learning module 136 deep reinforcement learning techniques to detect damage or errors at a given processing node and correct detected variations caused by the damage or errors at downstream nodes or stations 108. In some embodiments, error detection module 130 may use one or more of Kalman Filter 132, an autoencoder 134, or machine learning module 136 to detect damage or errors at a given processing node and/or correct detected variations caused by the damage or errors at downstream nodes or stations 108.

In some embodiments, error detection module 130 may implement Kalman Filter 132 to detect errors at a processing node. To generalize the distribution description from above, i.e., d_(i), a single input, single-output system may be established in state-space form as:

{right arrow over ({dot over (x)})}_(i) =A _(i){right arrow over (x)}_(i) +B _(i) u _(ε,i)(t)

y _(i)(t)=C _(i) ^(T){right arrow over (x)}_(i)

for {right arrow over (x)}_(i) defined as arbitrary states of the system, y defined as the output of the system, and A, B, C may be system matrices defining the ordinary differential equation of the underlying dynamics. The input of this system, u_(ε), may be a noisy input signal defined by:

u _(ε,i) =u _(i)(t)+ε_(t)

where ∈_(t) may be the additive noise contributed by ε_(t)˜

(μ_(εi), R_(i)). In some embodiments, the observed output, y_(v), may be a function of the system output as:

y _(v,i) =y _(i)(t)+V _(t)

for a similarly noisy signal measurement, with V_(t)˜

(μ_(v,i), σ_(v,i) ²)., In some embodiments, this notation may be reconciled by establishing that y_(v,i)˜Q_(i) for a given node, i, of a process. In an unaffected system, the mean of the noise contributions may be zero, such that μ_(ε,i)=μ_(v,i)=0. In a malicious cyberattack, however, the deviation may manifest as a non-zero mean input noise.

Generally, a Kalman Filter 132 may be reliant on zero mean noise; however, in the case of a malicious cyberattack, an offset of an input instruction may manifest as a non-zero mean additive noise. As such, a Kalman Filter 132 may be construed for the presumed time-invariant system of:

{right arrow over ({dot over (x)})}_(i) =A _(i){right arrow over (x)}_(i) +B _(i) u _(ε,i)(t)

y _(i)(t)=C _(i) ^(T){right arrow over (x)}_(i)

In some embodiments, Kalman Filter 132 may be constructed using measurements of output, y_(v,i)(t) for a node or a process, and the canonical, untouched input instruction u_(i)(t). If the process is correctly calibrated, the input/output sensor measurements of a station 108 or node should have zero mean noise. However, in the case of a malicious cyberattack, there would be a non-zero bias.

In some embodiments, Kalman Filter 132 may be construed as:

{right arrow over ( x )}_(i,k) =A _(i){right arrow over ({circumflex over (x)})}_(i,k−1) +B _(i) u _(i,k)

Σ _(i,k) =A _(i)Σ_(i,k−1) A _(i) ^(T) +R _(i)

K _(i,k)=Σ _(i,k) C _(i)(C _(i) ^(T) Σ _(i,k) C _(i)+σ_(v,i) ²)⁻¹

{right arrow over ({circumflex over (x)})}_(i,k)={right arrow over ( x )}_(i,k) +K _(i,k)(y _(v,i,k) −C _(i) ^(T){right arrow over ( x )}_(i,k))

Σ_(i,k)=(I−K _(i,k) C _(i) ^(T))Σ _(i,k)

for the k^(th) sample of a process node, i, where {dot over ( )} may be the measurement update notation, Σ_(i,k) may be the covariance of the state prediction, R_(i) may be the covariance of the input noise, ε_(t), and K_(i,k) may be the Kalman gains. With a large enough sample, the innovation distribution {tilde over (y)}_(i,k)=y_(v,i,k)−C_(i) ^(T){right arrow over (x)}_(i,k) should be {tilde over (y)}_(i,k)˜

(μ_({tilde over (y)},i,k)=0, C_(i) ^(T)Σ_(i,k|k−1)C_(i)). However, with a malicious cyberattack, μ_({tilde over (y)},i,k)≠0, but this may occur naturally within minimal samples. Once a sample threshold may be met, k>k_(min), an alarm may be established for {tilde over (y)}_(i,k)>γ_(i), where γ_(i) may be tuned for a process node. If the innovation error is non-zero and above the threshold γ_(i), then error detection module 130 may determine that a malicious cyberattack may be occurring

FIG. 2 is a block diagram illustrating architecture of a single-input, single-output system (hereinafter “system 200”) implementing Kalman Filter 132, according to example embodiments.

As shown, system 200 may include a controller 202 (e.g., C(s)), a plant 204 (e.g., G(s)), a measurement 206 (e.g., H(s)), an attack 208 (e.g., A(s)), and Kalman Filter 132 (e.g., KF). In some embodiments, system 200 may include a second controller 202. In some embodiments, controller 202, plant 204, and measurement 206 may represent the basic constituents of the nodal control, while Kalman Filter 132 produced an innovation error.

In some embodiments, such as that shown in FIG. 2, a twin controller may be used as an unbiased reference for Kalman Filter 132.

Referring back to FIG. 1, in some embodiments, error detection module 130 may use an autoencoder 134 to detect anomalies corresponding to a cyberattack. For a sequence of measured outputs,{right arrow over (y)}_(v,i), an unsupervised autoencoder training can be instantiated to map an entropy of output observation on to a parameter set, θ_(AE), such that

{right arrow over ({circumflex over (y)})}_(v,i) =f({right arrow over (y)}_(v,i), θ_(AE))

In some embodiments, the error of autoencoder 134 may be defined as:

{right arrow over ({tilde over (y)})}_(v,i)={right arrow over (y)}_(v,i)−{right arrow over ({circumflex over (y)})}_(v,i)

and for a normal operation of, {right arrow over ({tilde over (y)})}_(v,i)˜

(μ_({tilde over (y)},i), Σ_({tilde over (y)},i)), where μ_({tilde over (y)}) and Σ_({tilde over (y)},i) and may be fit to the distribution using maximum likelihood. Subsequently, an anomaly score, a_(i), for a sequence may be defined as:

$a_{i} = {{\left( {{\overset{\sim}{\overset{\rightarrow}{y}}}_{v,i,\mu_{\overset{\sim}{y}},i,}\sum_{\overset{\sim}{y},i}} \right)} = {\left( {{\overset{˜}{\overset{\rightarrow}{y}}}_{v,i} - \mu_{\overset{˜}{y},i}} \right)^{T}{\sum_{\overset{˜}{y},i}^{- 1}\left( {{\overset{˜}{\overset{\rightarrow}{y}}}_{v,i} - \mu_{\overset{¯}{y},i}} \right)}}}$

Similar to the Kalman Filter 132, when the anomaly score, a_(i)>γ_(i), error detection module 130 may detect an anomaly using autoencoder 134.

FIG. 3 is a block diagram illustrating architecture of a system 300 implementing autoencoder 134, according to some embodiments. As shown, system 300 may include a controller 302 (e.g., C(s)), a plant 304 (e.g., G(s)), a measurement 306 (e.g., H(s)), an attack 308 (e.g., A(s)), autoencoder 134 (e.g., AE), and an alarm 312 (e.g.,

). Controller 302, plant 304, and measurement 306 may represent the basic constituents of the nodal control, while autoencoder 134 may detect errors. In some embodiments, error detection module 130 may trigger an alarm 312, based on a sufficient anomaly score.

Referring back to FIG. 1, in some embodiments, error detection module 130 may use one or more deep reinforcement learning techniques to identify an error or anomaly in the processing corresponding to a cyberattack. As provided above, given the definition of damage, d_(i), a delayed reward function may be formulated for a reinforcement learning agent seeking to construct a set of distributions, P_(k+1), . . . , P_(n), to solve the damage recovery problem of

$\underset{\{{P_{{k + 1},\ldots\mspace{14mu},}P_{n}}\}}{\arg\min}\left\{ {\sum\limits_{i = {k + 1}}^{n}{D_{KL}\left( {P_{i}{}Q_{i}} \right)}} \right\}$

through its actions, for {right arrow over (α)}_(i) ^(j), for i=1, . . . , n, over some set of iterations, j=1, . . . m:

${R\left( {\overset{\rightarrow}{\alpha}}^{j} \right)} = {\sum\limits_{i = {k + 1}}^{n}{r_{i}\left( {\overset{\rightarrow}{\alpha}}_{i}^{j} \right)}}$ for ${r_{i}\left( {\overset{\rightarrow}{\alpha}}_{i}^{j} \right)} = {{P_{i}\left( {\overset{\rightarrow}{\alpha}}_{i}^{j} \right)}\log\frac{P_{i}\left( {\overset{\rightarrow}{\alpha}}_{i}^{j} \right)}{Q_{i}\left( {\overset{\rightarrow}{\alpha}}_{i}^{j} \right)}}$

In some embodiments, error detection module 130 may train an agent in an actor-critic modality, such that one network may produce an action, α_(i,k), given a state {right arrow over (x)}_(i,k) for the k^(th) sample of the i^(th) node of a process, and another network may generate a prediction of Q-value, Q_(i,k) ^(π)({right arrow over (x)}_(i,k), α_(i,k)|θ_(Q,i)), learned over parameters θ_(Q,i), where π_(i)({right arrow over (x)}_(i,k), θ_(π, i)) may be a learned policy over parameters θ_(π, i). In some embodiments, the reward may be calculated using a Bellman formulation such that:

Q _(i)i({right arrow over (x)}_(i,k), α_(i,k))=r _(i,k)+γ_(i) Q _(i)({right arrow over (x)}_(i,k+1), π_(i)({right arrow over (x)}_(i,k+1))|θ_(π, i))

In some embodiments, the update law associated with the reinforcement learning technique may be:

−∇_(θ) _(πj) J=

_(α) _(i,k) _(˜p) [∇ _(α) _(i) Q _(i)({right arrow over (x)}_(i,k), α_(i,k)|θ_(π,i))]

In some embodiments, the update law may reduce or minimize the Q-value, thereby minimizing damage, and may manifest in actions aimed at returning the distribution to its canonical shape. In some embodiments, one formulation of an action may be:

In some embodiments, a formulation of an action may be:

u_(i,k)=α_(i,k)u_(i,k′) ^(*)

where u_(i,k) may be the input of {right arrow over ({dot over (x)})}_(i)=A_(i){right arrow over (x)}_(i)+B_(i)u_(ε,i)(t) and y_(i)(t)=C_(i) ^(T){right arrow over (x)}_(i), α_(i,k) may be an instruction modifier, and u_(i,k) ^(*) may be the instruction read for a particular sample, k, of node i. If this instruction is corrupted, and that corruption manifests in the states, then policy, π_(i,k), may act to correct it.

By utilizing a reinforcement learning approach, error detection module 130 may offer a new way to address system security by bundling process-based malicious cyberattacks into nominal process variations and offers direct control and correction for those variations. The approaches are not simply a method of detection or passive prevention; rather, a cyberattack may be assumed to manifest as a routine (e.g., probable) system variation, such as machine turning out of norm or raw material stock moving out of tight specification.

FIG. 4 is a block diagram illustrating architecture of a system 400 implementing a reinforcement learning approach using machine learning module 136, according to some embodiments. As shown, system 400 may be representative of a multi-node system, i=0, . . . N. For each node i, there may exist a controller 402 ₀, 402 ₁, and 402 _(N) (e.g., C₀(s), C_(i)(s), . . . C_(N)(s)), a plant 404 ₀, 404 _(o), and 404 _(N) (e.g., G₀(s), G_(i)(s), G_(N)(s)), and a measurement 406 ₀, 406 _(i), and 406 _(N) (e.g., H₀(s), H_(i)(s), H_(N)(s)). Together, the nodes may be embedded in a policy-learning feedback loop governed by the state of system 400 at time k, S_(k), sampled from data store 408 (e.g., Y), and the policy taking the current state 410 as input, π(S_(k)). An attack 412 may be represented for a single node, i, by block A(s).

In some embodiments, to identify a set of actions to take to correct the errors caused by a cyberattack, the state, S_(k), for time sample, k, may be input into a nonlinear filter, whose weights may be chosen to minimize the subsequent damage for a time sample, k+n, given an observed artifact or component. In some embodiments, the output of the filter may be a scalar or vector, which modifies the prescribed process setpoint or control values. The transform from the state to the action may be referred to as the policy.

FIG. 5 is a flow diagram illustrating a method 500 of managing a cyberattack to a manufacturing process, according to example embodiments. Method 500 may begin as step 502.

At step 502, control module 106 may receive control values from a station 108 of manufacturing system 102. In some embodiments, control module 106 may receive the control values from a process controller associated with a given station 108. The process controller may generally be programmed to control the operations of station 108. Exemplary control values may include, but are not limited to: speed, temperature, pressure, vacuum, rotation, current, voltage, power, viscosity, materials/resources used at the station, throughput rate, outage time, noxious fumes, and the like. More generally, a control value may refer to an attribute of station 108, instead of an attribute of a component being processed by station 108.

At step 504, control module 106 may determine that a cyberattack is present, based on the control values received from station 108. For example, in some embodiments, error detection module 130 may use Kalman Filter 132 to generate an anomaly score for station 108 given the control values. If, for example, the anomaly score is greater than a predefined threshold value, then control module 106 may determine that a cyberattack is currently ongoing. In another example, error detection module 130 may use autoencoder 134 to generate an anomaly score for station 108 given the control values. If, for example, the anomaly score is greater than a predefined threshold, then control module 106 may determine that a cyberattack is currently ongoing. In another example, error detection module 130 may use machine learning module 136 to predict a Q value corresponding to station 108. If, for example, the Q value is outside of a range of acceptable values, then control module 106 may determine that a cyberattack is currently ongoing.

In some embodiments, method 500 may include step 506. At step 506, responsive to determining that a cyberattack is occurring, control module 106 may trigger an alert or alarm. In some embodiments, the alert or alarm may be a notification to a user overseeing manufacturing system 102. In some embodiments, the alert or alarm may be a signal that stops or ceases processing of each station 108 ₁-108 _(n) of manufacturing system 102.

In some embodiments, method 500 may include steps 508-510. At step 508, responsive to determining that a cyberattack is occurring, control module 106 may generate one or more actions to correct for the damage caused by the cyberattack. For example, error detection module 130 may train an agent in an actor-critic modality, such that one network may produce an action, α_(i,k), given a state {right arrow over (x)}_(i,k) for the k^(th) sample of the i^(th) node of a process, and another network may generate a prediction of Q-value, Q_(i,k) ^(π)({right arrow over (x)}_(i,k), α_(i,k)|θ_(Q,i,)), learned over parameters θ_(Q,i), where π_(i)({right arrow over (x)}_(i,k), θ_(π,i)) may be a learned policy over parameters θ_(π,i). In some embodiments, the reward may be calculated using a Bellman formulation such that:

Q _(i)({right arrow over (x)}_(i,k), α_(i,k))=r _(i,k)+γ_(i) Q _(i)({right arrow over (x)}_(i,k+1), π_(i)({right arrow over (x)}_(i,k+1))|θ_(π,i))

In some embodiments, the update law associated with the reinforcement learning technique may be:

−∇_(θ) _(πj) J=

_(α) _(i,k) _(˜p)[∇_(α) _(i) Q _(i)({right arrow over (x)}_(i,k), α_(i,k)|θ_(π,i))]

In some embodiments, the update law may reduce or minimize the Q-value, thereby minimizing damage, and may manifest in actions aimed at returning the distribution to its canonical shape. In some embodiments, one formulation of an action may be:

In some embodiments, a formulation of an action may be:

u_(i,k)=α_(i,k)u_(i,k′) ^(*)

where u_(i,k) may be the input of {right arrow over ({dot over (x)})}_(i)=A_(i){right arrow over (x)}_(i)+B_(i)u_(ε,i)(t) and y_(i)(t)=C_(i) ^(T){right arrow over (x)}_(i), α_(i,k) may be an instruction modifier, and u_(i,k) ^(*) may be the instruction read for a particular sample, k, of node i. If this instruction is corrupted, and that corruption manifests in the states, then policy, π_(i,k), may act to correct it.

At step 510, control module 106 may provide downstream stations 108 with the updated actions generated by machine learning module 136. In some embodiments, control module 106 may transmit updated instructions to process controllers of each downstream station 108.

FIG. 6A illustrates a system bus computing system architecture 600, according to example embodiments. One or more components of system 600 may be in electrical communication with each other using a bus 605. System 600 may include a processor (e.g., one or more CPUs, GPUs or other types of processors) 610 and a system bus 605 that couples various system components including the system memory 615, such as read only memory (ROM) 620 and random access memory (RAM) 625, to processor 610. System 600 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of processor 610. System 600 can copy data from memory 615 and/or storage device 630 to cache 612 for quick access by processor 610. In this way, cache 612 may provide a performance boost that avoids processor 610 delays while waiting for data. These and other modules can control or be configured to control processor 610 to perform various actions. Other system memory 615 may be available for use as well. Memory 615 may include multiple different types of memory with different performance characteristics. Processor 610 may be representative of a single processor or multiple processors. Processor 610 can include one or more of a general purpose processor or a hardware module or software module, such as service 1 632, service 2 634, and service 3 636 stored in storage device 630, configured to control processor 610, as well as a special-purpose processor where software instructions are incorporated into the actual processor design. Processor 610 may essentially be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.

To enable user interaction with the computing device 600, an input device 645 which can be any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 635 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with computing device 600. Communications interface 640 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.

Storage device 630 may be a non-volatile memory and can be a hard disk or other types of computer readable media that can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 625, read only memory (ROM) 620, and hybrids thereof.

Storage device 630 can include services 632, 634, and 636 for controlling the processor 610. Other hardware or software modules are contemplated. Storage device 630 can be connected to system bus 605. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as processor 610, bus 605, display 635, and so forth, to carry out the function.

FIG. 6B illustrates a computer system 650 having a chipset architecture, according to example embodiments. Computer system 650 may be an example of computer hardware, software, and firmware that can be used to implement the disclosed technology. System 650 can include one or more processors 655, representative of any number of physically and/or logically distinct resources capable of executing software, firmware, and hardware configured to perform identified computations. One or more processors 655 can communicate with a chipset 660 that can control input to and output from one or more processors 655. In this example, chipset 660 outputs information to output 665, such as a display, and can read and write information to storage device 670, which can include magnetic media, and solid state media, for example. Chipset 660 can also read data from and write data to RAM 675. A bridge 680 for interfacing with a variety of user interface components 685 can be provided for interfacing with chipset 660. Such user interface components 685 can include a keyboard, a microphone, touch detection and processing circuitry, a pointing device, such as a mouse, and so on. In general, inputs to system 650 can come from any of a variety of sources, machine generated and/or human generated.

Chipset 660 can also interface with one or more communication interfaces 690 that can have different physical interfaces. Such communication interfaces can include interfaces for wired and wireless local area networks, for broadband wireless networks, as well as personal area networks. Some applications of the methods for generating, displaying, and using the GUI disclosed herein can include receiving ordered datasets over the physical interface or be generated by the machine itself by one or more processors 655 analyzing data stored in storage 670 or 675. Further, the machine can receive inputs from a user through user interface components 685 and execute appropriate functions, such as browsing functions by interpreting these inputs using one or more processors 655.

It can be appreciated that example systems 600 and 650 can have more than one processor 610 or be part of a group or cluster of computing devices networked together to provide greater processing capability.

While the foregoing is directed to embodiments described herein, other and further embodiments may be devised without departing from the basic scope thereof. For example, aspects of the present disclosure may be implemented in hardware or software or a combination of hardware and software. One embodiment described herein may be implemented as a program product for use with a computer system. The program(s) of the program product define functions of the embodiments (including the methods described herein) and can be contained on a variety of computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory (ROM) devices within a computer, such as CD-ROM disks readably by a CD-ROM drive, flash memory, ROM chips, or any type of solid-state non-volatile memory) on which information is permanently stored; and (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive or any type of solid state random-access memory) on which alterable information is stored. Such computer-readable storage media, when carrying computer-readable instructions that direct the functions of the disclosed embodiments, are embodiments of the present disclosure.

It will be appreciated to those skilled in the art that the preceding examples are exemplary and not limiting. It is intended that all permutations, enhancements, equivalents, and improvements thereto are apparent to those skilled in the art upon a reading of the specification and a study of the drawings are included within the true spirit and scope of the present disclosure. It is therefore intended that the following appended claims include all such modifications, permutations, and equivalents as fall within the true spirit and scope of these teachings. 

1. A manufacturing system, comprising: one or more stations, each station configured to perform at least one step in a multi-step manufacturing process for a component; a monitoring platform configured to monitor progression of the component throughout the multi-step manufacturing process; and a control module configured to detect a cyberattack to the manufacturing system, the control module configured to perform operations, comprising: receiving control values for a first station of the one or more stations, the control values comprising attributes of the first processing station; determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms; and based on the determining, generating an alert to cease processing of the component.
 2. The manufacturing system of claim 1, wherein the one or more machine learning algorithms comprise a Kalman Filter.
 3. The manufacturing system of claim 2, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the Kalman filter, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 4. The manufacturing system of claim 1, wherein the one or more machine learning algorithms comprise an autoencoder.
 5. The manufacturing system of claim 4, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the autoencoder, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 6. The manufacturing system of claim 1, wherein the one or more machine learning algorithms comprise a deep learning algorithm.
 7. The manufacturing system of claim 6, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating a predicted quality metric for the component based on the one or more control values; and determining that the predicted quality metric falls outside a range of acceptable values.
 8. A computer-implemented method, comprising: receiving, by a computing system, control values for a first station of one or more stations of a manufacturing system configured to process a component, the control values comprising attributes of the first station; determining, by the computing system, that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms; based on the determining, generating, by the computing system, an alert to cease processing of the component; and generating, by the computing system, a set of actions to correct for errors caused by the cyberattack, the set of actions associated with downstream stations of the manufacturing system.
 9. The computer-implemented method of claim 8, wherein the one or more machine learning algorithms comprise a Kalman Filter.
 10. The computer-implemented method of claim 9, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the Kalman filter, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 11. The computer-implemented method of claim 8, wherein the one or more machine learning algorithms comprise an autoencoder.
 12. The computer-implemented method of claim 11, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the autoencoder, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 13. The computer-implemented method of claim 8, wherein the one or more machine learning algorithms comprise a deep learning algorithm.
 14. The computer-implemented method of claim 13, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating a predicted quality metric for the component based on the one or more control values; and determining that the predicted quality metric falls outside a range of acceptable values.
 15. A manufacturing system, comprising: one or more stations, each station configured to perform at least one step in a multi-step manufacturing process for a component; a monitoring platform configured to monitor progression of the component throughout the multi-step manufacturing process; and a control module configured to detect a cyberattack to the manufacturing system, the control module configured to perform operations, comprising: receiving control values for a first station of the one or more stations, the control values comprising attributes of the first station; determining that there is a cyberattack based on the control values for the first station using one or more machine learning algorithms; based on the determining, generating an alert to cease processing of the component; and generating, using one or more second machine learning algorithms, a set of actions to correct for errors caused by the cyberattack, the set of actions associated with downstream stations of the manufacturing system.
 16. The manufacturing system of claim 15, wherein the one or more machine learning algorithms comprise a Kalman Filter and the one or more second machine learning algorithms comprise a deep learning algorithm.
 17. The manufacturing system of claim 16, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the Kalman filter, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 18. The manufacturing system of claim 15, wherein the one or more machine learning algorithms comprise an autoencoder.
 19. The manufacturing system of claim 18, wherein determining that there is a cyberattack based on the control values for the first station using the one or more machine learning algorithms comprises: generating, using the autoencoder, an anomaly score for the first station based on the control values; and determining that the anomaly score exceeds a threshold value indicative of a cyberattack.
 20. The manufacturing system of claim 15, wherein the one or more machine learning algorithms comprise a deep learning algorithm. 